attack 2025

Revoking Amnesia: RL-based Trajectory Optimization to Resurrect Erased Concepts in Diffusion Models

Daiheng Gao 1, Nanxiang Jiang 2, Andi Zhang 3, Shilin Lu 4, Yufei Tang 5, Wenbo Zhou 1, Weiming Zhang 1, Zhaoxin Fan 2

8 citations · 1 influential · 42 references · arXiv

Published on arXiv: 2510.03302

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

RevAm resurrects erased concepts with superior fidelity while reducing computation time by 10× compared to UnlearnDiffAtk, Ring-A-Bell, and Reason2Attack.

RevAm (Revoking Amnesia)

Novel technique introduced


Concept erasure techniques have been widely deployed in T2I diffusion models to prevent inappropriate content generation for safety and copyright considerations. However, as models evolve to next-generation architectures like Flux, established erasure methods (e.g., ESD, UCE, AC) exhibit degraded effectiveness, raising questions about their true mechanisms. Through systematic analysis, we reveal that concept erasure creates only an illusion of "amnesia": rather than genuine forgetting, these methods bias sampling trajectories away from target concepts, making the erasure fundamentally reversible. This insight motivates the need to distinguish superficial safety from genuine concept removal. In this work, we propose RevAm (Revoking Amnesia), an RL-based trajectory optimization framework that resurrects erased concepts by dynamically steering the denoising process without modifying model weights. By adapting Group Relative Policy Optimization (GRPO) to diffusion models, RevAm explores diverse recovery trajectories through trajectory-level rewards, overcoming local optima that limit existing methods. Extensive experiments demonstrate that RevAm achieves superior concept resurrection fidelity while reducing computational time by 10×, exposing critical vulnerabilities in current safety mechanisms and underscoring the need for more robust erasure techniques beyond trajectory manipulation.


Key Contributions

  • Reveals that concept erasure methods create only an illusion of amnesia by biasing sampling trajectories rather than inducing genuine forgetting, making erasure fundamentally reversible
  • Proposes RevAm, a score-and-steer controller using GRPO-adapted RL to dynamically redirect the denoising velocity field at inference time without modifying model weights
  • Demonstrates 10× speedup over UnlearnDiffAtk with superior concept resurrection fidelity, exposing critical vulnerabilities in current diffusion model safety mechanisms

🛡️ Threat Analysis

Input Manipulation Attack

RevAm is an inference-time evasion attack that manipulates the internal denoising velocity field to bypass concept erasure safety mechanisms — the model's weight-based safety controls (ESD, UCE, AC) are evaded by dynamically steering sampling trajectories, causing the model to produce outputs it was explicitly modified to suppress. This is an inference-time evasion of a model safety control, fitting ML01's core of causing incorrect/bypassed outputs at inference time through adversarial manipulation.


Details

Domains
vision, generative
Model Types
diffusion
Threat Tags
white_box, inference_time, targeted
Datasets
LAION-5B
Applications
text-to-image generation, content safety in diffusion models, concept erasure bypass